msimg32.dll is reported as infected by w32.rogue.gen

After installing the Microsoft Windows 8.1 updates this morning (KB3000850 and KB3011750), webroot reported msimg32.dll as infected by w32.rogue.gen.

I think this is perhaps a false positive as I had run manual scans prior and had no threats detected until just today?


Best answer by Rakanisheu, 19 November 2014, 18:32

EDIT: just seen your reply! Glad to hear you're back up and running. I have to fix my own Win 8.1 VM which I have completely destroyed :D My shift is just finished; if you have any further issues please reply to the support ticket.

@ wrote:
I think this is perhaps a false positive as I had run manual scans prior and had no threats detected until just today?

Hello azayaka,

Welcome to the Community!

I've done some research of this and here's what I've found. I don't want to alarm you though because I could be wrong.

The W32.Rogue.Gen is a nasty computer infection classified as a Trojan virus, and sneaks into computers by using holes in the security of the system. Once installed, the W32.Rogue.Gen modifies the browser settings on your system in order to gain complete control of your online activity. There are many different ways through which you can get this infection inside your system, including social networks, bundled downloads, and spam email attachments. No matter how good an antivirus you are using, there is always a chance that this nasty Trojan sneaks into the system and performs a number of harmful activities. In order to avoid any detection effort, this Trojan virus hides itself deep in the roots of the system files and keeps changing its place. This malicious application can crash your operating system, modify the Windows registry, steal confidential details, and take control of your browser. Besides that, when it alters the Windows firewall, other parasites can easily enter the system, and you are unable to open any application on the system. It also stops you from downloading any security-related software on your PC.

Please issue a Support Ticket ASAP so they can take care of this nasty virus for you!

EDIT: @ got here first, but I am going to leave my post as is to add to what she said.

There would be no difference in the detections between automatic and manual scans. It is possible that a file that was previously not marked as bad has been found to be malicious and has thus been marked in the Cloud as malware. It could be a new variant that had not been previously detected.

The best thing to do if you are unsure about this detection being a False Positive would be to submit a Trouble Ticket to have Webroot Support take a quick look. This is a free service with your valid WSA license.

David

New to the Community? Register now and start posting! Helpful Webroot Links: Download (PC) Download (Best Buy Subscription) Submit Trouble Ticket Account Console User Guides "If you don't learn something new every day, you need to pay more attention. I often get my daily learning here so grab a chair and stay a while!" WSA-Complete (Beta PC), WSA Mobile (Android), WSA Business Mobile (Android) WSA-Endpoint (PC- Some of the time.....)

I have nearly the exact same scenario: same OS (Windows 8.1), same lack of infections using Webroot, same Windows Updates, then the same subsequent infected file from the same Trojan, same thought of false positive. The only difference for me was Webroot was to remove the Trojan upon restart, only to not be able to sign into my computer afterwards.

I've seen the same behavior on two Win 8.1 PCs since installing the 3011750 patch. Once installed, Webroot crashes Internet Explorer if you either resize the window, or open a pop-up or link in a new window. If Webroot launches a scan before you can remove the patch, it quarantines the instances of msimg32.dll it finds. In one of my cases, this blue screened the PC. Checking the event logs shows that WRusr.dll is causing the fault in IE.

Once msimg32.dll has been quarantined (that is, once a Webroot scan has been launched), almost none of the applications on the PC other than default Windows programs will run. System Restore also fails. I was able to restore by doing the following:

Open an elevated command prompt, and type the following: sfc /scannow

When that's done, go to Programs and Features and remove both 3000850 and 3011750 (I think it's the latter patch that causes the problem, but I've been removing both)

Reboot--this takes longer than normal, as the patches are removed.

This procedure restored both my machines, neither of which had any problem until applying the MS patches today and then getting some false positives from Webroot. I have not tried this on a Win 7 machine yet, but it's possible it happens there as well. Hope this helps others until Webroot can resolve the issue.
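The recovery steps in the post above are manual. As an added example (not something posted in this thread), the following PowerShell script, run from an elevated prompt on the affected machine, performs the checks a defender would want before accepting or reverting a quarantine of a core Windows DLL: it confirms whether msimg32.dll is still present in System32 and SysWOW64, reports its version, SHA-256 and Authenticode signature status, and lists which of the two updates named in the thread (KB3000850, KB3011750) are installed. The repair commands from the post (sfc /scannow, removing the update) are included as comments rather than executed; the file paths and KB numbers are taken from the thread, and the Windows 8.1 directory layout is assumed.

```powershell
# Added example, not from the thread: defender-side verification of a flagged system DLL.
# Run from an elevated PowerShell. Assumes the standard Windows 8.1 System32/SysWOW64 layout
# and the two update IDs discussed in the thread.

$dllName   = 'msimg32.dll'
$patches   = @('KB3000850', 'KB3011750')    # updates the thread associates with the detection
$locations = @(
    (Join-Path $env:SystemRoot "System32\$dllName"),
    (Join-Path $env:SystemRoot "SysWOW64\$dllName")
)

# 1. Is the file present, and does it still carry a valid signature?
#    A genuine Microsoft-signed OS binary that only began to be flagged after an update
#    points to a false positive rather than an infection. Note that many Windows system
#    files are catalog-signed; older PowerShell builds report those as 'NotSigned', so a
#    NotSigned result is a prompt for a second check (sfc /verifyonly), not proof of tampering.
foreach ($path in $locations) {
    if (-not (Test-Path -Path $path)) {
        Write-Warning "$path is missing - it may have been quarantined or removed"
        continue
    }
    $sig  = Get-AuthenticodeSignature -FilePath $path
    $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    $ver  = (Get-Item -Path $path).VersionInfo.FileVersion
    [PSCustomObject]@{
        Path      = $path
        Version   = $ver
        SHA256    = $hash
        SigStatus = $sig.Status                       # 'Valid' for an intact signed file
        Signer    = $sig.SignerCertificate.Subject    # expected to name Microsoft
    } | Format-List
}

# 2. Which of the suspected updates are installed? Get-HotFix reads the installed-updates list,
#    so this tells you whether the machine is in the state the thread describes.
$installed = Get-HotFix | Where-Object { $patches -contains $_.HotFixID }
if ($installed) {
    $installed | Select-Object HotFixID, InstalledOn | Format-Table -AutoSize
} else {
    Write-Host "None of $($patches -join ', ') is installed"
}

# 3. Repair steps from the post, left commented so nothing is changed until the signature and
#    hash above have been reviewed and the detection confirmed as a false positive:
#    sfc /scannow                                  -> verify and repair protected system files
#    wusa /uninstall /kb:3011750 /norestart        -> remove the suspected update, then reboot
# sfc /scannow
# wusa /uninstall /kb:3011750 /norestart
```

If the signature check reports a valid Microsoft signature and the SHA-256 matches the copy on an unaffected machine with the same update level, the quarantine can be reversed with more confidence than a clean second scan alone would give; if the file is already missing, sfc /scannow is the supported way to put a known-good copy back, which is why the post runs it first.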

I had 4 Win 8.1 machines with Webroot to which I applied KB3000850, and of these only one had no problem, though on it I had to override WSA's attempt to quarantine msimg32.dll. Of the others, two are hung at the login screen; I'll have to restore them from a Windows Home Server backup, if I can. The last is usable but crippled by the missing msimg32.dll. It was a brand new computer unboxed days ago, barely used, so I think it's unlikely that it could have had an infection.

@ wrote:
I had 4 Win 8.1 machines with Webroot to which I applied KB3000850, and of these only one had no problem, though on it I had to override WSA's attempt to quarantine msimg32.dll. Of the others, two are hung at the login screen; I'll have to restore them from a Windows Home Server backup, if I can. The last is usable but crippled by the missing msimg32.dll. It was a brand new computer unboxed days ago, barely used, so I think it's unlikely that it could have had an infection.

I think this may prove to be a big time problem for WSA users.

Not for long. Please submit a Trouble Ticket ASAP. That will give Webroot Support a bit more information about this problem. It will likely not be very long before the file is whitelisted in the Cloud.

David

I've basically got two semi-bricked systems because Webroot apparently either blocked or quarantined Msimg32.dll, so now I get a Windows 8.1 message that this DLL is missing; as a result, neither Webroot WSA Complete nor AVG will run on either system.

Like a previous poster, I tried two different Windows restores and they both failed.

@ wrote:
I've basically got two semi-bricked systems because Webroot apparently either blocked or quarantined Msimg32.dll, so now I get a Windows 8.1 message that this DLL is missing; as a result, neither Webroot WSA Complete nor AVG will run on either system.

Like a previous poster, I tried two different Windows restores and they both failed.

EDIT: @ got here first, so please read both posts: her information is relevant to my reply as well.

Please submit a Trouble Ticket to have further assistance from Webroot Support.

Also, I am not sure, but I believe you should be able to go into Safe Mode, open WSA, and restore the file from the Quarantine. As the False Positive has now been fixed, WSA will not re-detect it as malicious.

After restoring the file, reboot to normal mode.

I hope this helps!

David

@ wrote:
Unfortunately your suggestion didn't work. When I bring up Windows 8.1 in Safe Mode, I still get the same message about the missing dll, so therefore I am unable to "unquarantine" Msimg32.dll.

Please go ahead and submit a Trouble Ticket to have Webroot Support take a look or provide additional suggestions/help.

Let us know if they come up with a viable solution for you please, so that we can also pass it on to anyone else affected and unable to easily roll back or unquarantine.

David

Please do not attempt to add to the ticket or update it until you have heard from Support; that will slow down the response to you by altering the date/time stamp on the ticket. Webroot Support is usually not instant, but it is usually quite fast, within an hour or two for me usually when I file a ticket.

David

I wish I could. WSA does not start or run because of the missing DLL, therefore I am unable to restore this dll from quarantine using the method you describe. That is what I've been trying to explain; WSA is NOT running on the bricked systems.

WSA isn't loading because of a non-Webroot related driver? You're the only reported instance of this from what I have seen. When you try to open WSA, does it not open, or does it give you an error? Can you get online with either PC? I can send you a copy of this file that you can drop in the System32 folder.

Sorry for interrupting here, but I wanted to ask if it would be OK with you for us to reference your file download for any other users who have similar issues with not being able to un-quarantine the file?

David
